From 32abc345f3cd952ec30bffdacec042efbadbf2b6 Mon Sep 17 00:00:00 2001
From: Andrey Pleskach
Date: Tue, 10 Sep 2024 15:10:46 +0200
Subject: [PATCH] Use CertType enum instead of ssl config prefix
Signed-off-by: Andrey Pleskach
---
 .../rest/api/SecuritySSLCertsApiAction.java | 16 ++-
 .../TransportCertificatesInfoNodesAction.java | 8 +-
 .../ssl/OpenSearchSecureSettingsFactory.java | 11 +-
 .../security/ssl/SslSettingsManager.java | 68 ++++++------
 .../security/ssl/config/CertType.java | 33 ++++++
 .../ssl/rest/SecuritySSLInfoAction.java | 11 +-
 .../security/ssl/SslContextHandlerTest.java | 2 +-
 .../security/ssl/SslSettingsManagerTest.java | 101 +++++++++--------
 8 files changed, 134 insertions(+), 116 deletions(-)
 create mode 100644 src/main/java/org/opensearch/security/ssl/config/CertType.java
diff --git a/src/main/java/org/opensearch/security/dlic/rest/api/SecuritySSLCertsApiAction.java b/src/main/java/org/opensearch/security/dlic/rest/api/SecuritySSLCertsApiAction.java
index 20e309e989..57dcfec301 100644
--- a/src/main/java/org/opensearch/security/dlic/rest/api/SecuritySSLCertsApiAction.java
+++ b/src/main/java/org/opensearch/security/dlic/rest/api/SecuritySSLCertsApiAction.java
@@ -32,6 +32,7 @@
 import org.opensearch.security.securityconf.impl.CType;
 import org.opensearch.security.ssl.SslContextHandler;
 import org.opensearch.security.ssl.SslSettingsManager;
+import org.opensearch.security.ssl.config.CertType;
 import org.opensearch.security.ssl.config.Certificate;
 import org.opensearch.security.support.ConfigConstants;
 import org.opensearch.threadpool.ThreadPool;
@@ -43,9 +44,6 @@
 import static org.opensearch.security.dlic.rest.api.RestApiAdminPrivilegesEvaluator.CERTS_INFO_ACTION;
 import static org.opensearch.security.dlic.rest.api.RestApiAdminPrivilegesEvaluator.RELOAD_CERTS_ACTION;
 import static org.opensearch.security.dlic.rest.support.Utils.addRoutesPrefix;
-import static org.opensearch.security.ssl.util.SSLConfigConstants.SSL_HTTP_PREFIX;
-import static org.opensearch.security.ssl.util.SSLConfigConstants.SSL_TRANSPORT_CLIENT_PREFIX;
-import static org.opensearch.security.ssl.util.SSLConfigConstants.SSL_TRANSPORT_PREFIX;
 /**
 * Rest API action to get SSL certificate information related to http and transport encryption.
@@ -152,13 +150,13 @@ protected void loadCertificates(final RestChannel channel) throws IOException {
 .field(
 "http_certificates_list",
 generateCertDetailList(
- sslSettingsManager.sslContextHandler(SSL_HTTP_PREFIX).map(SslContextHandler::keyMaterialCertificates).orElse(null)
+ sslSettingsManager.sslContextHandler(CertType.HTTP).map(SslContextHandler::keyMaterialCertificates).orElse(null)
 )
 )
 .field(
 "transport_certificates_list",
 generateCertDetailList(
- sslSettingsManager.sslContextHandler(SSL_TRANSPORT_PREFIX)
+ sslSettingsManager.sslContextHandler(CertType.TRANSPORT)
 .map(SslContextHandler::keyMaterialCertificates)
 .orElse(null)
 )
@@ -192,16 +190,16 @@ protected void reloadCertificates(final RestChannel channel, final RestRequest r
 try {
 switch (certType) {
 case "http":
- if (sslSettingsManager.sslConfiguration(SSL_HTTP_PREFIX).isPresent()) {
- sslSettingsManager.reloadSslContext(SSL_HTTP_PREFIX);
+ if (sslSettingsManager.sslConfiguration(CertType.HTTP).isPresent()) {
+ sslSettingsManager.reloadSslContext(CertType.HTTP);
 ok(channel, (builder, params) -> builder.startObject().field("message", "updated http certs").endObject());
 } else {
 badRequest(channel, "SSL for HTTP is disabled");
 }
 break;
 case "transport":
- sslSettingsManager.reloadSslContext(SSL_TRANSPORT_PREFIX);
- sslSettingsManager.reloadSslContext(SSL_TRANSPORT_CLIENT_PREFIX);
+ sslSettingsManager.reloadSslContext(CertType.TRANSPORT);
+ sslSettingsManager.reloadSslContext(CertType.TRANSPORT_CLIENT);
 ok(channel, (builder, params) -> builder.startObject().field("message", "updated transport certs").endObject());
 break;
 default:
diff --git a/src/main/java/org/opensearch/security/dlic/rest/api/ssl/TransportCertificatesInfoNodesAction.java b/src/main/java/org/opensearch/security/dlic/rest/api/ssl/TransportCertificatesInfoNodesAction.java
index d3ba95695f..39edfd570f 100644
--- a/src/main/java/org/opensearch/security/dlic/rest/api/ssl/TransportCertificatesInfoNodesAction.java
+++ b/src/main/java/org/opensearch/security/dlic/rest/api/ssl/TransportCertificatesInfoNodesAction.java
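Review bot: The `case "transport":` branch answers `updated transport certs` unconditionally, while the `case "http":` branch directly above first checks `sslSettingsManager.sslConfiguration(CertType.HTTP).isPresent()` and returns a bad request otherwise. Per the SslSettingsManager hunk in this patch, `reloadSslContext` only logs `Missing SSL Context for {}` when no handler exists for the requested type, so on a node without transport SSL configured (the SslSettingsManagerTest hunks exercise a `transportEnabled == false` case) the API reports success although nothing was reloaded. Guard the two reload calls and the `ok(...)` with `if (sslSettingsManager.sslConfiguration(CertType.TRANSPORT).isPresent())` and answer `badRequest(channel, "SSL for transport is disabled")` in the else branch, mirroring the http case. reloadCertificates starts and ends outside the hunk.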
@@ -26,14 +26,12 @@
 import org.opensearch.core.common.io.stream.StreamOutput;
 import org.opensearch.security.ssl.SslContextHandler;
 import org.opensearch.security.ssl.SslSettingsManager;
+import org.opensearch.security.ssl.config.CertType;
 import org.opensearch.security.ssl.config.Certificate;
 import org.opensearch.threadpool.ThreadPool;
 import org.opensearch.transport.TransportRequest;
 import org.opensearch.transport.TransportService;
-import static org.opensearch.security.ssl.util.SSLConfigConstants.SSL_HTTP_PREFIX;
-import static org.opensearch.security.ssl.util.SSLConfigConstants.SSL_TRANSPORT_PREFIX;
-
 public class TransportCertificatesInfoNodesAction extends TransportNodesAction<
 CertificatesInfoNodesRequest,
 CertificatesNodesResponse,
@@ -101,13 +99,13 @@ protected CertificatesInfo loadCertificates(final CertificateType certificateTyp
 var httpCertificates = List.of();
 var transportsCertificates = List.of();
 if (CertificateType.isHttp(certificateType)) {
- httpCertificates = sslSettingsManager.sslContextHandler(SSL_HTTP_PREFIX)
+ httpCertificates = sslSettingsManager.sslContextHandler(CertType.HTTP)
 .map(SslContextHandler::keyMaterialCertificates)
 .map(this::certificatesDetails)
 .orElse(List.of());
 }
 if (CertificateType.isTransport(certificateType)) {
- transportsCertificates = sslSettingsManager.sslContextHandler(SSL_TRANSPORT_PREFIX)
+ transportsCertificates = sslSettingsManager.sslContextHandler(CertType.TRANSPORT)
 .map(SslContextHandler::keyMaterialCertificates)
 .map(this::certificatesDetails)
 .orElse(List.of());
diff --git a/src/main/java/org/opensearch/security/ssl/OpenSearchSecureSettingsFactory.java b/src/main/java/org/opensearch/security/ssl/OpenSearchSecureSettingsFactory.java
index 40da35813c..d7b1bb471c 100644
--- a/src/main/java/org/opensearch/security/ssl/OpenSearchSecureSettingsFactory.java
+++ b/src/main/java/org/opensearch/security/ssl/OpenSearchSecureSettingsFactory.java
@@ -25,6 +25,7 @@
 import org.opensearch.plugins.SecureTransportSettingsProvider;
 import org.opensearch.plugins.TransportExceptionHandler;
 import org.opensearch.security.filter.SecurityRestFilter;
+import org.opensearch.security.ssl.config.CertType;
 import org.opensearch.security.ssl.http.netty.Netty4ConditionalDecompressor;
 import org.opensearch.security.ssl.http.netty.Netty4HttpRequestHeaderVerifier;
 import org.opensearch.threadpool.ThreadPool;
@@ -33,10 +34,6 @@
 import io.netty.channel.ChannelInboundHandlerAdapter;
-import static org.opensearch.security.ssl.util.SSLConfigConstants.SSL_HTTP_PREFIX;
-import static org.opensearch.security.ssl.util.SSLConfigConstants.SSL_TRANSPORT_CLIENT_PREFIX;
-import static org.opensearch.security.ssl.util.SSLConfigConstants.SSL_TRANSPORT_PREFIX;
-
 public class OpenSearchSecureSettingsFactory implements SecureSettingsFactory {
 private final ThreadPool threadPool;
 private final SslSettingsManager sslSettingsManager;
@@ -70,12 +67,12 @@ public void onError(Throwable t) {
 @Override
 public Optional buildSecureServerTransportEngine(Settings settings, Transport transport) throws SSLException {
- return sslSettingsManager.sslContextHandler(SSL_TRANSPORT_PREFIX).map(SslContextHandler::createSSLEngine);
+ return sslSettingsManager.sslContextHandler(CertType.TRANSPORT).map(SslContextHandler::createSSLEngine);
 }
 @Override
 public Optional buildSecureClientTransportEngine(Settings settings, String hostname, int port) throws SSLException {
- return sslSettingsManager.sslContextHandler(SSL_TRANSPORT_CLIENT_PREFIX).map(c -> c.createSSLEngine(hostname, port));
+ return sslSettingsManager.sslContextHandler(CertType.TRANSPORT_CLIENT).map(c -> c.createSSLEngine(hostname, port));
 }
 });
 }
@@ -132,7 +129,7 @@ public void onError(Throwable t) {
 @Override
 public Optional buildSecureHttpServerEngine(Settings settings, HttpServerTransport transport) throws SSLException {
- return sslSettingsManager.sslContextHandler(SSL_HTTP_PREFIX).map(SslContextHandler::createSSLEngine);
+ return sslSettingsManager.sslContextHandler(CertType.HTTP).map(SslContextHandler::createSSLEngine);
 }
 });
 }
diff --git a/src/main/java/org/opensearch/security/ssl/SslSettingsManager.java b/src/main/java/org/opensearch/security/ssl/SslSettingsManager.java
index 038d2d5409..381c510894 100644
--- a/src/main/java/org/opensearch/security/ssl/SslSettingsManager.java
+++ b/src/main/java/org/opensearch/security/ssl/SslSettingsManager.java
@@ -25,6 +25,7 @@
 import org.opensearch.OpenSearchException;
 import org.opensearch.common.settings.Settings;
 import org.opensearch.env.Environment;
+import org.opensearch.security.ssl.config.CertType;
 import org.opensearch.security.ssl.config.SslCertificatesLoader;
 import org.opensearch.security.ssl.config.SslParameters;
@@ -64,10 +65,7 @@
 import static org.opensearch.security.ssl.util.SSLConfigConstants.SECURITY_SSL_TRANSPORT_SERVER_PEMKEY_FILEPATH;
 import static org.opensearch.security.ssl.util.SSLConfigConstants.SECURITY_SSL_TRANSPORT_SERVER_PEMTRUSTEDCAS_FILEPATH;
 import static org.opensearch.security.ssl.util.SSLConfigConstants.SECURITY_SSL_TRANSPORT_SERVER_TRUSTSTORE_ALIAS;
-import static org.opensearch.security.ssl.util.SSLConfigConstants.SSL_HTTP_PREFIX;
 import static org.opensearch.security.ssl.util.SSLConfigConstants.SSL_TRANSPORT_CLIENT_EXTENDED_PREFIX;
-import static org.opensearch.security.ssl.util.SSLConfigConstants.SSL_TRANSPORT_CLIENT_PREFIX;
-import static org.opensearch.security.ssl.util.SSLConfigConstants.SSL_TRANSPORT_PREFIX;
 import static org.opensearch.security.ssl.util.SSLConfigConstants.SSL_TRANSPORT_SERVER_EXTENDED_PREFIX;
 import static org.opensearch.security.ssl.util.SSLConfigConstants.TRUSTSTORE_ALIAS;
 import static org.opensearch.security.ssl.util.SSLConfigConstants.TRUSTSTORE_FILEPATH;
@@ -76,53 +74,53 @@
 public class SslSettingsManager {
 private final static Logger LOGGER = LogManager.getLogger(SslSettingsManager.class);
- private final Map sslSettingsContexts;
+ private final Map sslSettingsContexts;
 public SslSettingsManager(final Environment environment) {
 this.sslSettingsContexts = buildSslContexts(environment);
 }
- public Optional sslConfiguration(final String sslConfigPrefix) {
- return Optional.ofNullable(sslSettingsContexts.get(sslConfigPrefix)).map(SslContextHandler::sslConfiguration);
+ public Optional sslConfiguration(final CertType certType) {
+ return Optional.ofNullable(sslSettingsContexts.get(certType)).map(SslContextHandler::sslConfiguration);
 }
- public Optional sslContextHandler(final String sslConfigPrefix) {
+ public Optional sslContextHandler(final CertType sslConfigPrefix) {
 return Optional.ofNullable(sslSettingsContexts.get(sslConfigPrefix));
 }
- private Map buildSslContexts(final Environment environment) {
- final var contexts = new ImmutableMap.Builder();
+ private Map buildSslContexts(final Environment environment) {
+ final var contexts = new ImmutableMap.Builder();
 final var configurations = loadConfigurations(environment);
- Optional.ofNullable(configurations.get(SSL_HTTP_PREFIX))
+ Optional.ofNullable(configurations.get(CertType.HTTP))
 .ifPresentOrElse(
- sslConfiguration -> contexts.put(SSL_HTTP_PREFIX, new SslContextHandler(sslConfiguration)),
+ sslConfiguration -> contexts.put(CertType.HTTP, new SslContextHandler(sslConfiguration)),
 () -> LOGGER.warn("SSL Configuration for HTTP Layer hasn't been set")
 );
- Optional.ofNullable(configurations.get(SSL_TRANSPORT_PREFIX)).ifPresentOrElse(sslConfiguration -> {
- contexts.put(SSL_TRANSPORT_PREFIX, new SslContextHandler(sslConfiguration));
- final var transportClientConfiguration = Optional.ofNullable(configurations.get(SSL_TRANSPORT_CLIENT_PREFIX))
+ Optional.ofNullable(configurations.get(CertType.TRANSPORT)).ifPresentOrElse(sslConfiguration -> {
+ contexts.put(CertType.TRANSPORT, new SslContextHandler(sslConfiguration));
+ final var transportClientConfiguration = Optional.ofNullable(configurations.get(CertType.TRANSPORT_CLIENT))
 .orElse(sslConfiguration);
- contexts.put(SSL_TRANSPORT_CLIENT_PREFIX, new SslContextHandler(transportClientConfiguration, true));
+ contexts.put(CertType.TRANSPORT_CLIENT, new SslContextHandler(transportClientConfiguration, true));
 }, () -> LOGGER.warn("SSL Configuration for Transport Layer hasn't been set"));
 return contexts.build();
 }
- public synchronized void reloadSslContext(final String sslConfigPrefix) {
- sslContextHandler(sslConfigPrefix).ifPresentOrElse(sscContextHandler -> {
- LOGGER.info("Reloading {} SSL context", sslConfigPrefix);
+ public synchronized void reloadSslContext(final CertType certType) {
+ sslContextHandler(certType).ifPresentOrElse(sscContextHandler -> {
+ LOGGER.info("Reloading {} SSL context", certType.name());
 try {
 sscContextHandler.reloadSslContext();
 } catch (CertificateException e) {
 throw new OpenSearchException(e);
 }
- LOGGER.info("{} SSL context reloaded", sslConfigPrefix);
- }, () -> LOGGER.error("Missing SSL Context for {}", sslConfigPrefix));
+ LOGGER.info("{} SSL context reloaded", certType.name());
+ }, () -> LOGGER.error("Missing SSL Context for {}", certType.name()));
 }
- private Map loadConfigurations(final Environment environment) {
+ private Map loadConfigurations(final Environment environment) {
 final var settings = environment.settings();
- final var httpSettings = settings.getByPrefix(SSL_HTTP_PREFIX);
- final var transpotSettings = settings.getByPrefix(SSL_TRANSPORT_PREFIX);
+ final var httpSettings = settings.getByPrefix(CertType.HTTP.sslConfigPrefix());
+ final var transpotSettings = settings.getByPrefix(CertType.TRANSPORT.sslConfigPrefix());
 if (httpSettings.isEmpty() && transpotSettings.isEmpty()) {
 throw new OpenSearchException("No SSL configuration found");
 }
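Review bot: `sslContextHandler(final CertType sslConfigPrefix)` keeps the old parameter name although the argument is no longer a settings prefix; the two sibling methods changed in the same hunk, `sslConfiguration(final CertType certType)` and `reloadSslContext(final CertType certType)`, were renamed, so this one should read `sslContextHandler(final CertType certType)` with `sslSettingsContexts.get(certType)` in its body. Since the public signatures of both accessors now take the enum, a short Javadoc on each saying the Optional is empty when that layer's SSL configuration was not loaded (the `LOGGER.warn` fallbacks in `buildSslContexts`) and that `TRANSPORT_CLIENT` reuses the `TRANSPORT` configuration when no dedicated one exists would help callers such as the REST actions in this patch. Typo aside, `transpotSettings` is pre-existing and untouched here.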
@@ -132,13 +130,13 @@ private Map loadConfigurations(final Environment envir
 final var httpEnabled = httpSettings.getAsBoolean(ENABLED, SECURITY_SSL_HTTP_ENABLED_DEFAULT);
 final var transportEnabled = transpotSettings.getAsBoolean(ENABLED, SECURITY_SSL_TRANSPORT_ENABLED_DEFAULT);
- final var configurationBuilder = ImmutableMap.builder();
+ final var configurationBuilder = ImmutableMap.builder();
 if (httpEnabled && !clientNode(settings)) {
 validateHttpSettings(httpSettings);
 final var httpSslParameters = SslParameters.loader(httpSettings).load(true);
- final var httpTrustAndKeyStore = new SslCertificatesLoader(SSL_HTTP_PREFIX).loadConfiguration(environment);
+ final var httpTrustAndKeyStore = new SslCertificatesLoader(CertType.HTTP.sslConfigPrefix()).loadConfiguration(environment);
 configurationBuilder.put(
- SSL_HTTP_PREFIX,
+ CertType.HTTP,
 new SslConfiguration(httpSslParameters, httpTrustAndKeyStore.v1(), httpTrustAndKeyStore.v2())
 );
 LOGGER.info("TLS HTTP Provider : {}", httpSslParameters.provider());
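Review bot: `new SslCertificatesLoader(CertType.HTTP.sslConfigPrefix())` here, and the three `CertType.TRANSPORT.sslConfigPrefix()` constructor arguments in the next hunk, re-expose the raw prefix string that the rest of the commit removes from call sites; since each enum constant already carries its prefix, the loader could accept the `CertType` (plus the extended prefix where one is passed) and call `sslConfigPrefix()` itself, keeping the string private to the config package. SslCertificatesLoader's constructor is not shown in this patch, so this assumes the prefix is its only use of the string. loadConfigurations starts and ends outside the hunk.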
@@ -149,26 +147,28 @@ private Map loadConfigurations(final Environment envir
 if (hasExtendedKeyUsageEnabled(transpotSettings)) {
 validateTransportSettings(transpotSettings);
 final var transportServerTrustAndKeyStore = new SslCertificatesLoader(
- SSL_TRANSPORT_PREFIX,
+ CertType.TRANSPORT.sslConfigPrefix(),
 SSL_TRANSPORT_SERVER_EXTENDED_PREFIX
 ).loadConfiguration(environment);
 configurationBuilder.put(
- SSL_TRANSPORT_PREFIX,
+ CertType.TRANSPORT,
 new SslConfiguration(transportSslParameters, transportServerTrustAndKeyStore.v1(), transportServerTrustAndKeyStore.v2())
 );
 final var transportClientTrustAndKeyStore = new SslCertificatesLoader(
- SSL_TRANSPORT_PREFIX,
+ CertType.TRANSPORT.sslConfigPrefix(),
 SSL_TRANSPORT_CLIENT_EXTENDED_PREFIX
 ).loadConfiguration(environment);
 configurationBuilder.put(
- SSL_TRANSPORT_CLIENT_PREFIX,
+ CertType.TRANSPORT_CLIENT,
 new SslConfiguration(transportSslParameters, transportClientTrustAndKeyStore.v1(), transportClientTrustAndKeyStore.v2())
 );
 } else {
 validateTransportSettings(transpotSettings);
- final var transportTrustAndKeyStore = new SslCertificatesLoader(SSL_TRANSPORT_PREFIX).loadConfiguration(environment);
+ final var transportTrustAndKeyStore = new SslCertificatesLoader(CertType.TRANSPORT.sslConfigPrefix()).loadConfiguration(
+ environment
+ );
 configurationBuilder.put(
- SSL_TRANSPORT_PREFIX,
+ CertType.TRANSPORT,
 new SslConfiguration(transportSslParameters, transportTrustAndKeyStore.v1(), transportTrustAndKeyStore.v2())
 );
 }
@@ -352,9 +352,7 @@ void openSslWarnings(final Settings settings) {
 + "'opensearch.unsafe.use_netty_default_allocator' system property to true"
 );
 } else {
- LOGGER.warn(
- "Support for OpenSSL with Java 12+ has been removed from Open Distro Security since Elasticsearch 7.4.0. Using JDK SSL instead."
- );
+ LOGGER.warn("Support for OpenSSL with Java 12+ has been removed from OpenSearch Security. Using JDK SSL instead.");
 }
 }
 if (OpenSearchSecuritySSLPlugin.OPENSSL_SUPPORTED && OpenSsl.isAvailable()) {
diff --git a/src/main/java/org/opensearch/security/ssl/config/CertType.java b/src/main/java/org/opensearch/security/ssl/config/CertType.java
new file mode 100644
index 0000000000..09a8dcfae9
--- /dev/null
+++ b/src/main/java/org/opensearch/security/ssl/config/CertType.java
@@ -0,0 +1,33 @@
+/*
+ * SPDX-License-Identifier: Apache-2.0
+ *
+ * The OpenSearch Contributors require contributions made to
+ * this file be licensed under the Apache-2.0 license or a
+ * compatible open source license.
+ *
+ * Modifications Copyright OpenSearch Contributors. See
+ * GitHub history for details.
+ */
+
+package org.opensearch.security.ssl.config;
+
+import static org.opensearch.security.ssl.util.SSLConfigConstants.SSL_HTTP_PREFIX;
+import static org.opensearch.security.ssl.util.SSLConfigConstants.SSL_TRANSPORT_CLIENT_PREFIX;
+import static org.opensearch.security.ssl.util.SSLConfigConstants.SSL_TRANSPORT_PREFIX;
+
+public enum CertType {
+ HTTP(SSL_HTTP_PREFIX),
+ TRANSPORT(SSL_TRANSPORT_PREFIX),
+ TRANSPORT_CLIENT(SSL_TRANSPORT_CLIENT_PREFIX);
+
+ private final String sslConfigPrefix;
+
+ private CertType(String sslConfigPrefix) {
+ this.sslConfigPrefix = sslConfigPrefix;
+ }
+
+ public String sslConfigPrefix() {
+ return sslConfigPrefix;
+ }
+
+}
diff --git a/src/main/java/org/opensearch/security/ssl/rest/SecuritySSLInfoAction.java b/src/main/java/org/opensearch/security/ssl/rest/SecuritySSLInfoAction.java
index fe1568050d..203a0c7965 100644
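Review bot: `private CertType(String sslConfigPrefix)` in the new CertType.java carries a redundant modifier: enum constructors are implicitly private and cannot be anything else, so `CertType(String sslConfigPrefix) {` is the conventional form. The new public enum also lacks Javadoc; a class comment such as `/** SSL layer whose settings are read under {@link #sslConfigPrefix()}; TRANSPORT_CLIENT falls back to the TRANSPORT configuration when no dedicated one is present. */` would tie the constants to the lookup in `SslSettingsManager.buildSslContexts` in this same patch, and `sslConfigPrefix()` should state that it returns the `SSLConfigConstants` prefix passed to `Settings.getByPrefix` and `SslCertificatesLoader`. The `CertType.name()` values are now what `reloadSslContext` logs, so renaming a constant later changes log output; worth a one-line note on the enum.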
--- a/src/main/java/org/opensearch/security/ssl/rest/SecuritySSLInfoAction.java
+++ b/src/main/java/org/opensearch/security/ssl/rest/SecuritySSLInfoAction.java
@@ -40,6 +40,7 @@
 import org.opensearch.security.filter.SecurityRequestFactory;
 import org.opensearch.security.ssl.SslConfiguration;
 import org.opensearch.security.ssl.SslSettingsManager;
+import org.opensearch.security.ssl.config.CertType;
 import org.opensearch.security.ssl.config.SslParameters;
 import org.opensearch.security.ssl.transport.PrincipalExtractor;
 import org.opensearch.security.ssl.util.SSLRequestHelper;
@@ -47,10 +48,6 @@
 import io.netty.handler.ssl.OpenSsl;
-import static org.opensearch.security.ssl.util.SSLConfigConstants.SSL_HTTP_PREFIX;
-import static org.opensearch.security.ssl.util.SSLConfigConstants.SSL_TRANSPORT_CLIENT_PREFIX;
-import static org.opensearch.security.ssl.util.SSLConfigConstants.SSL_TRANSPORT_PREFIX;
-
 public class SecuritySSLInfoAction extends BaseRestHandler {
 private static final List routes = Collections.singletonList(new Route(Method.GET, "/_opendistro/_security/sslinfo"));
@@ -130,21 +127,21 @@ public void accept(RestChannel channel) throws Exception {
 builder.field("ssl_openssl_supports_hostname_validation", OpenSsl.supportsHostnameValidation());
 builder.field(
 "ssl_provider_http",
- sslSettingsManager.sslConfiguration(SSL_HTTP_PREFIX)
+ sslSettingsManager.sslConfiguration(CertType.HTTP)
 .map(SslConfiguration::sslParameters)
 .map(SslParameters::provider)
 .orElse(null)
 );
 builder.field(
 "ssl_provider_transport_server",
- sslSettingsManager.sslConfiguration(SSL_TRANSPORT_PREFIX)
+ sslSettingsManager.sslConfiguration(CertType.TRANSPORT)
 .map(SslConfiguration::sslParameters)
 .map(SslParameters::provider)
 .orElse(null)
 );
 builder.field(
 "ssl_provider_transport_client",
- sslSettingsManager.sslConfiguration(SSL_TRANSPORT_CLIENT_PREFIX)
+ sslSettingsManager.sslConfiguration(CertType.TRANSPORT_CLIENT)
 .map(SslConfiguration::sslParameters)
 .map(SslParameters::provider)
 .orElse(null)
diff --git a/src/test/java/org/opensearch/security/ssl/SslContextHandlerTest.java b/src/test/java/org/opensearch/security/ssl/SslContextHandlerTest.java
index 803b1c846f..d044372291 100644
--- a/src/test/java/org/opensearch/security/ssl/SslContextHandlerTest.java
+++ b/src/test/java/org/opensearch/security/ssl/SslContextHandlerTest.java
@@ -84,7 +84,7 @@ public void failsIfCertificatesAreSame() throws Exception {
 }
 @Test
- public void failsIfCertificatesNasNotValidDates() throws Exception {
+ public void failsIfCertificatesHasInvalidDates() throws Exception {
 final var sslContextHandler = sslContextHandler();
 final var accessCertificate = certificatesRule.x509AccessCertificate();
diff --git a/src/test/java/org/opensearch/security/ssl/SslSettingsManagerTest.java b/src/test/java/org/opensearch/security/ssl/SslSettingsManagerTest.java
index a78649e918..1aa2c47eb3 100644
--- a/src/test/java/org/opensearch/security/ssl/SslSettingsManagerTest.java
+++ b/src/test/java/org/opensearch/security/ssl/SslSettingsManagerTest.java
@@ -25,6 +25,7 @@
 import org.opensearch.common.settings.Settings;
 import org.opensearch.env.Environment;
 import org.opensearch.env.TestEnvironment;
+import org.opensearch.security.ssl.config.CertType;
 import io.netty.handler.ssl.ClientAuth;
 import io.netty.handler.ssl.SslContext;
@@ -53,7 +54,6 @@
 import static org.opensearch.security.ssl.util.SSLConfigConstants.SECURITY_SSL_TRANSPORT_TRUSTSTORE_FILEPATH;
 import static org.opensearch.security.ssl.util.SSLConfigConstants.SSL_HTTP_PREFIX;
 import static org.opensearch.security.ssl.util.SSLConfigConstants.SSL_TRANSPORT_CLIENT_EXTENDED_PREFIX;
-import static org.opensearch.security.ssl.util.SSLConfigConstants.SSL_TRANSPORT_CLIENT_PREFIX;
 import static org.opensearch.security.ssl.util.SSLConfigConstants.SSL_TRANSPORT_PREFIX;
 import static org.opensearch.security.ssl.util.SSLConfigConstants.SSL_TRANSPORT_SERVER_EXTENDED_PREFIX;
 import static org.opensearch.security.support.ConfigConstants.SECURITY_SSL_ONLY;
@@ -208,33 +208,30 @@ public void loadConfigurationAndBuildHSslContextForSslOnlyMode() throws Exceptio
 )
 );
- assertThat("Loaded HTTP configuration", sslSettingsManager.sslConfiguration(SSL_HTTP_PREFIX).isPresent());
+ assertThat("Loaded HTTP configuration", sslSettingsManager.sslConfiguration(CertType.HTTP).isPresent());
 if (transportEnabled) {
- assertThat("Loaded Transport configuration", sslSettingsManager.sslConfiguration(SSL_TRANSPORT_PREFIX).isPresent());
- assertThat(
- "Loaded Transport Client configuration",
- sslSettingsManager.sslConfiguration(SSL_TRANSPORT_CLIENT_PREFIX).isPresent()
- );
+ assertThat("Loaded Transport configuration", sslSettingsManager.sslConfiguration(CertType.TRANSPORT).isPresent());
+ assertThat("Loaded Transport Client configuration", sslSettingsManager.sslConfiguration(CertType.TRANSPORT_CLIENT).isPresent());
 } else {
- assertThat("Didn't load Transport configuration", sslSettingsManager.sslConfiguration(SSL_TRANSPORT_PREFIX).isEmpty());
+ assertThat("Didn't load Transport configuration", sslSettingsManager.sslConfiguration(CertType.TRANSPORT).isEmpty());
 assertThat(
 "Didn't load Transport Client configuration",
- sslSettingsManager.sslConfiguration(SSL_TRANSPORT_CLIENT_PREFIX).isEmpty()
+ sslSettingsManager.sslConfiguration(CertType.TRANSPORT_CLIENT).isEmpty()
 );
 }
- assertThat("Built HTTP SSL Context", sslSettingsManager.sslContextHandler(SSL_HTTP_PREFIX).isPresent());
+ assertThat("Built HTTP SSL Context", sslSettingsManager.sslContextHandler(CertType.HTTP).isPresent());
 if (transportEnabled) {
- assertThat("Built Transport SSL Context", sslSettingsManager.sslContextHandler(SSL_TRANSPORT_PREFIX).isPresent());
- assertThat("Built Client SSL Context", sslSettingsManager.sslContextHandler(SSL_TRANSPORT_CLIENT_PREFIX).isPresent());
+ assertThat("Built Transport SSL Context", sslSettingsManager.sslContextHandler(CertType.TRANSPORT).isPresent());
+ assertThat("Built Client SSL Context", sslSettingsManager.sslContextHandler(CertType.TRANSPORT_CLIENT).isPresent());
 } else {
- assertThat("Didn't build Transport SSL Context", sslSettingsManager.sslContextHandler(SSL_TRANSPORT_PREFIX).isEmpty());
- assertThat("Didn't build Client SSL Context", sslSettingsManager.sslContextHandler(SSL_TRANSPORT_CLIENT_PREFIX).isEmpty());
+ assertThat("Didn't build Transport SSL Context", sslSettingsManager.sslContextHandler(CertType.TRANSPORT).isEmpty());
+ assertThat("Didn't build Client SSL Context", sslSettingsManager.sslContextHandler(CertType.TRANSPORT_CLIENT).isEmpty());
 }
 assertThat(
 "Built Server SSL context for HTTP",
- sslSettingsManager.sslContextHandler(SSL_HTTP_PREFIX).map(SslContextHandler::sslContext).map(SslContext::isServer).orElse(false)
+ sslSettingsManager.sslContextHandler(CertType.HTTP).map(SslContextHandler::sslContext).map(SslContext::isServer).orElse(false)
 );
 }
@@ -257,24 +254,24 @@ public void loadConfigurationAndBuildSslContextForClientNode() throws Exception
 )
 );
- assertThat("Didn't load HTTP configuration", sslSettingsManager.sslConfiguration(SSL_HTTP_PREFIX).isEmpty());
- assertThat("Loaded Transport configuration", sslSettingsManager.sslConfiguration(SSL_TRANSPORT_PREFIX).isPresent());
- assertThat("Loaded Transport Client configuration", sslSettingsManager.sslConfiguration(SSL_TRANSPORT_CLIENT_PREFIX).isPresent());
+ assertThat("Didn't load HTTP configuration", sslSettingsManager.sslConfiguration(CertType.HTTP).isEmpty());
+ assertThat("Loaded Transport configuration", sslSettingsManager.sslConfiguration(CertType.TRANSPORT).isPresent());
+ assertThat("Loaded Transport Client configuration", sslSettingsManager.sslConfiguration(CertType.TRANSPORT_CLIENT).isPresent());
- assertThat("Didn't build HTTP SSL Context", sslSettingsManager.sslContextHandler(SSL_HTTP_PREFIX).isEmpty());
- assertThat("Built Transport SSL Context", sslSettingsManager.sslContextHandler(SSL_TRANSPORT_PREFIX).isPresent());
- assertThat("Built Client SSL Context", sslSettingsManager.sslContextHandler(SSL_TRANSPORT_CLIENT_PREFIX).isPresent());
+ assertThat("Didn't build HTTP SSL Context", sslSettingsManager.sslContextHandler(CertType.HTTP).isEmpty());
+ assertThat("Built Transport SSL Context", sslSettingsManager.sslContextHandler(CertType.TRANSPORT).isPresent());
+ assertThat("Built Client SSL Context", sslSettingsManager.sslContextHandler(CertType.TRANSPORT_CLIENT).isPresent());
 assertThat(
 "Built Server SSL context for Transport",
- sslSettingsManager.sslContextHandler(SSL_TRANSPORT_PREFIX)
+ sslSettingsManager.sslContextHandler(CertType.TRANSPORT)
 .map(SslContextHandler::sslContext)
 .map(SslContext::isServer)
 .orElse(false)
 );
 assertThat(
 "Built Client SSL context for Transport Client",
- sslSettingsManager.sslContextHandler(SSL_TRANSPORT_CLIENT_PREFIX)
+ sslSettingsManager.sslContextHandler(CertType.TRANSPORT_CLIENT)
.map(SslContextHandler::sslContext)
 .map(SslContext::isClient)
 .orElse(false)
@@ -296,28 +293,28 @@ public void loadConfigurationAndBuildSslContexts() throws Exception {
 );
 withHttpSslSettings(settingsBuilder);
 final var sslSettingsManager = new SslSettingsManager(TestEnvironment.newEnvironment(settingsBuilder.build()));
- assertThat("Loaded HTTP configuration", sslSettingsManager.sslConfiguration(SSL_HTTP_PREFIX).isPresent());
- assertThat("Loaded Transport configuration", sslSettingsManager.sslConfiguration(SSL_TRANSPORT_PREFIX).isPresent());
- assertThat("Loaded Transport Client configuration", sslSettingsManager.sslConfiguration(SSL_TRANSPORT_CLIENT_PREFIX).isPresent());
+ assertThat("Loaded HTTP configuration", sslSettingsManager.sslConfiguration(CertType.HTTP).isPresent());
+ assertThat("Loaded Transport configuration", sslSettingsManager.sslConfiguration(CertType.TRANSPORT).isPresent());
+ assertThat("Loaded Transport Client configuration", sslSettingsManager.sslConfiguration(CertType.TRANSPORT_CLIENT).isPresent());
- assertThat("Built HTTP SSL Context", sslSettingsManager.sslContextHandler(SSL_HTTP_PREFIX).isPresent());
- assertThat("Built Transport SSL Context", sslSettingsManager.sslContextHandler(SSL_TRANSPORT_PREFIX).isPresent());
- assertThat("Built Transport Client SSL Context", sslSettingsManager.sslContextHandler(SSL_TRANSPORT_CLIENT_PREFIX).isPresent());
+ assertThat("Built HTTP SSL Context", sslSettingsManager.sslContextHandler(CertType.HTTP).isPresent());
+ assertThat("Built Transport SSL Context", sslSettingsManager.sslContextHandler(CertType.TRANSPORT).isPresent());
+ assertThat("Built Transport Client SSL Context", sslSettingsManager.sslContextHandler(CertType.TRANSPORT_CLIENT).isPresent());
 assertThat(
 "Built Server SSL context for HTTP",
- sslSettingsManager.sslContextHandler(SSL_HTTP_PREFIX).map(SslContextHandler::sslContext).map(SslContext::isServer).orElse(false)
+ sslSettingsManager.sslContextHandler(CertType.HTTP).map(SslContextHandler::sslContext).map(SslContext::isServer).orElse(false)
 );
 assertThat(
 "Built Server SSL context for Transport",
- sslSettingsManager.sslContextHandler(SSL_TRANSPORT_PREFIX)
+ sslSettingsManager.sslContextHandler(CertType.TRANSPORT)
 .map(SslContextHandler::sslContext)
 .map(SslContext::isServer)
 .orElse(false)
 );
 assertThat(
 "Built Client SSL context for Transport Client",
- sslSettingsManager.sslContextHandler(SSL_TRANSPORT_CLIENT_PREFIX)
+ sslSettingsManager.sslContextHandler(CertType.TRANSPORT_CLIENT)
 .map(SslContextHandler::sslContext)
 .map(SslContext::isClient)
 .orElse(false)
@@ -338,23 +335,23 @@ public void loadConfigurationAndBuildTransportSslContext() throws Exception {
 );
 final var sslSettingsManager = new SslSettingsManager(TestEnvironment.newEnvironment(settingsBuilder.build()));
- assertThat("Didn't load HTTP configuration", sslSettingsManager.sslConfiguration(SSL_HTTP_PREFIX).isEmpty());
- assertThat("Loaded Transport configuration", sslSettingsManager.sslConfiguration(SSL_TRANSPORT_PREFIX).isPresent());
- assertThat("Loaded Transport Client configuration", sslSettingsManager.sslConfiguration(SSL_TRANSPORT_CLIENT_PREFIX).isPresent());
+ assertThat("Didn't load HTTP configuration", sslSettingsManager.sslConfiguration(CertType.HTTP).isEmpty());
+ assertThat("Loaded Transport configuration", sslSettingsManager.sslConfiguration(CertType.TRANSPORT).isPresent());
+ assertThat("Loaded Transport Client configuration", sslSettingsManager.sslConfiguration(CertType.TRANSPORT_CLIENT).isPresent());
 assertThat(
 "SSL configuration for Transport and Transport Client is the same",
- sslSettingsManager.sslConfiguration(SSL_TRANSPORT_PREFIX)
- .flatMap(t -> sslSettingsManager.sslConfiguration(SSL_TRANSPORT_CLIENT_PREFIX).map(tc -> tc.equals(t)))
+ sslSettingsManager.sslConfiguration(CertType.TRANSPORT)
+ .flatMap(t -> sslSettingsManager.sslConfiguration(CertType.TRANSPORT_CLIENT).map(tc -> tc.equals(t)))
 .orElse(false)
 );
- assertThat("Built HTTP SSL Context", sslSettingsManager.sslContextHandler(SSL_HTTP_PREFIX).isEmpty());
- assertThat("Built Transport SSL Context", sslSettingsManager.sslContextHandler(SSL_TRANSPORT_PREFIX).isPresent());
- assertThat("Built Transport Client SSL Context", sslSettingsManager.sslContextHandler(SSL_TRANSPORT_CLIENT_PREFIX).isPresent());
+ assertThat("Built HTTP SSL Context", sslSettingsManager.sslContextHandler(CertType.HTTP).isEmpty());
+ assertThat("Built Transport SSL Context", sslSettingsManager.sslContextHandler(CertType.TRANSPORT).isPresent());
+ assertThat("Built Transport Client SSL Context", sslSettingsManager.sslContextHandler(CertType.TRANSPORT_CLIENT).isPresent());
 assertThat(
 "Built Server SSL context for Transport",
- sslSettingsManager.sslContextHandler(SSL_TRANSPORT_PREFIX)
+ sslSettingsManager.sslContextHandler(CertType.TRANSPORT)
 .map(SslContextHandler::sslContext)
 .map(SslContext::isServer)
 .orElse(false)
@@ -362,7 +359,7 @@ public void loadConfigurationAndBuildTransportSslContext() throws Exception {
 );
 assertThat(
 "Built Client SSL context for Transport Client",
- sslSettingsManager.sslContextHandler(SSL_TRANSPORT_CLIENT_PREFIX)
+ sslSettingsManager.sslContextHandler(CertType.TRANSPORT_CLIENT)
 .map(SslContextHandler::sslContext)
 .map(SslContext::isClient)
 .orElse(false)
@@ -407,22 +404,22 @@ public void loadConfigurationAndBuildExtendedTransportSslContexts() throws Excep
 )
 );
- assertThat("Didn't load HTTP configuration", sslSettingsManager.sslConfiguration(SSL_HTTP_PREFIX).isEmpty());
- assertThat("Loaded Transport configuration", sslSettingsManager.sslConfiguration(SSL_TRANSPORT_PREFIX).isPresent());
- assertThat("Loaded Transport Client configuration", sslSettingsManager.sslConfiguration(SSL_TRANSPORT_CLIENT_PREFIX).isPresent());
+ assertThat("Didn't load HTTP configuration", sslSettingsManager.sslConfiguration(CertType.HTTP).isEmpty());
+ assertThat("Loaded Transport configuration", sslSettingsManager.sslConfiguration(CertType.TRANSPORT).isPresent());
+ assertThat("Loaded Transport Client configuration", sslSettingsManager.sslConfiguration(CertType.TRANSPORT_CLIENT).isPresent());
 assertThat(
 "SSL configuration for Transport and Transport Client is not the same",
- sslSettingsManager.sslConfiguration(SSL_TRANSPORT_PREFIX)
- .flatMap(t -> sslSettingsManager.sslConfiguration(SSL_TRANSPORT_CLIENT_PREFIX).map(tc -> !tc.equals(t)))
+ sslSettingsManager.sslConfiguration(CertType.TRANSPORT)
+ .flatMap(t -> sslSettingsManager.sslConfiguration(CertType.TRANSPORT_CLIENT).map(tc -> !tc.equals(t)))
 .orElse(true)
 );
- assertThat("Built HTTP SSL Context", sslSettingsManager.sslContextHandler(SSL_HTTP_PREFIX).isEmpty());
- assertThat("Built Transport SSL Context", sslSettingsManager.sslContextHandler(SSL_TRANSPORT_PREFIX).isPresent());
- assertThat("Built Transport Client SSL Context", sslSettingsManager.sslContextHandler(SSL_TRANSPORT_CLIENT_PREFIX).isPresent());
+ assertThat("Built HTTP SSL Context", sslSettingsManager.sslContextHandler(CertType.HTTP).isEmpty());
+ assertThat("Built Transport SSL Context", sslSettingsManager.sslContextHandler(CertType.TRANSPORT).isPresent());
+ assertThat("Built Transport Client SSL Context", sslSettingsManager.sslContextHandler(CertType.TRANSPORT_CLIENT).isPresent());
 assertThat(
 "Built Server SSL context for Transport",
- sslSettingsManager.sslContextHandler(SSL_TRANSPORT_PREFIX)
+ sslSettingsManager.sslContextHandler(CertType.TRANSPORT)
 .map(SslContextHandler::sslContext)
 .map(SslContext::isServer)
 .orElse(false)
@@ -430,7 +427,7 @@ public void loadConfigurationAndBuildExtendedTransportSslContexts() throws Excep
 );
 assertThat(
 "Built Client SSL context for Transport Client",
- sslSettingsManager.sslContextHandler(SSL_TRANSPORT_CLIENT_PREFIX)
+ sslSettingsManager.sslContextHandler(CertType.TRANSPORT_CLIENT)
 .map(SslContextHandler::sslContext)
 .map(SslContext::isClient)
 .orElse(false)